1. The Field of the Invention
The present invention relates to systems and methods for verifying the authorization of a server to provide network resources to a client. More specifically, the present invention relates to systems and methods whereby the client compares a random number encrypted in a message sent to the server with a random number encrypted in a message sent to the client from the server, wherein the client determines that the server is authorized if the random numbers are the same.
2. The Prior State of the Art
During recent years, the use of computer networks to distribute information to users has increased dramatically. For example, the Internet is currently used for many purposes, including electronic commerce, delivery of news, entertainment, and education, to name just a few. Many Internet service providers ("ISPs") and content providers have found that accurate identification of users is necessary to support subscription services. When a client establishes communication with an ISP, the server at the ISP typically verifies that the client is recognized as one that has duly subscribed to the Internet service. Likewise, many World Wide Web ("Web") sites are available to users by subscription only. When a client attempts to access a subscription-based Web site, the client may be prompted to verify that it is authorized to receive content from the site.
Verification of the identity of clients has been accomplished in many ways. A simple example involves the client transmitting to the server a user name and a password that has been previously registered with the server. If the user name and password match a registered user name and password stored at the server, the client is allowed access to the network resources. More advanced security systems include, for example, transmitting a client machine identifier from the client to the server or other techniques whereby information associated with the client verifies the identity of the client.
Verifying the identity and authorization status of clients allows ISPs and content providers to collect subscription fees from users. Without a reliable system to verify authorization of clients, non-authorized users could access service, and legitimate users may have little incentive to pay for service.
There are some network configurations and business models that require security measures beyond the typical client-identification strategies described above. In some instances, it is desirable to identify the authorization of the server to provide network resources to the client. For a variety of reasons, suppliers or manufacturers of certain client systems may desire to allow only selected servers to provide network resources to their client systems. In one example, a provider of enhanced Internet, television, or other information or entertainment services may develop a client system specifically designed to receive its information or entertainment resources. In this example, the supplier of the client system can be seen primarily as the provider of the information or entertainment services, while the client system can be seen as a tool allowing users to gain access to the provider.
The traditional security strategy of providing user names, passwords, or other identifiers is inadequate when applied to the verification of authorization of a server to provide network resources. As can be easily understood, simple identifiers are not readily applicable to configurations where a single or a small number of servers provide service to a large number of clients. In particular, if a server were to widely distribute an identifier to multiple clients, an imposter server could easily intercept the identifier and attempt to adopt the identity of the authorized server.
In addition, the entity that desires to control access by unauthorized servers is often not the client, but is instead the operator of the authorized server. When an unauthorized server attempts to gain access to client systems, the operator of the authorized server may not be aware of the attempt. Accordingly, if conventional security systems were the only available means of protection, the client system and the operator of the unauthorized server could collude to override the security system. As a result, any security system that is freely accessible by the operators of client systems or unauthorized servers could be breached relatively easily.
In view of the foregoing, what is needed is a system for verifying the identity or authorization of servers to provide network resources to client systems. It would be an advancement in the art to provide a system for verifying the authorization of servers that is not merely analogous to the conventional use of identifiers to verify the identity of clients. It would be particularly advantageous to verify the authorization of servers using a security system that cannot be readily accessed or overridden by an operator of the client system. It would also be desirable to combine such a system for verifying the authorization of servers with a system for verifying the identity of clients.